alexa / ask-cli

Alexa Skills Kit Command Line Interface
https://developer.amazon.com/en-US/docs/alexa/smapi/ask-cli-intro.html
Apache License 2.0

Local HTTP server credential hijacking #476

Closed LucioMS closed 1 year ago

LucioMS commented 1 year ago

Impact

The default browser-based authentication mechanism leaves users vulnerable to a credential hijacking attack, enabling an attacker to gain unauthorised access to a user's Amazon account.

Description

The default authentication mechanism used by ASK CLI involves the following steps:

1. ASK CLI starts a local HTTP server listening on http://localhost:9090/
2. ASK CLI generates an Amazon sign-in URL with the parameter redirect_uri=http://127.0.0.1:9090/cb, then opens this URL in the user's web browser
3. The user signs in to Amazon in their web browser and enables ASK CLI to access their Amazon account
4. Amazon redirects the user's web browser back to http://127.0.0.1:9090/cb and passes the OAuth auth code, scope, and state as GET parameters
5. ASK CLI issues an HTTP POST request to https://api.amazon.com/auth/o2/token to obtain an OAuth access token and refresh token.

Another user on the same host can issue an HTTP request to http://127.0.0.1:9090/ and cause the ASK CLI process to terminate and cease listening on TCP port 9090. The attacker can then start their own server on TCP port 9090 and capture the OAuth auth parameters, enabling them to hijack the OAuth access token and refresh token. These can then be used to gain unauthorised access to the targeted user's Amazon account.

Stolen credentials could then in turn potentially be used to target the user more directly by injecting malicious code into the Alexa Skills that the user is working on.

Reproduction Steps

In a multi-user environment with at least two users:

1. As user A: Install ASK CLI and run the "ask configure" command, then wait for the console message Listening on http://localhost:9090... and the web browser to open
2. As user B: Issue an HTTP request to http://localhost:9090/ (e.g. using curl, wget, or a web browser)
3. As user B: Start a listener on TCP port 9090 (e.g. using nc -lvv 9090)
4. As user A: Proceed to sign in to Amazon and approve access for ASK CLI.
5. As user A: Close the browser and observe that the ASK CLI command has exited with no errors.
6. As user B: Observe that the OAuth authentication parameters were received by the listener.

LucioMS commented 1 year ago

Fixed by not closing the port until the dev is back at the CLI for error and success cases.